
NIST Revamps CVE Framework to Focus on High-Impact Vulnerabilities

Source: Dark Reading (archived Apr 17, 2026)

The National Institute of Standards and Technology carved a new path for vulnerability remediation by changing the way it prioritizes software flaws.



VULNERABILITIES & THREATS | NEWS

Arielle Waldman, Features Writer, Dark Reading
April 16, 2026 | 4 Min Read

The National Institute of Standards and Technology (NIST) is changing the criteria that determine which Common Vulnerabilities and Exposures (CVE) records receive full analysis in its National Vulnerability Database (NVD), citing challenges in keeping up with an ever-increasing volume of vulnerabilities.

It's not easy for enterprise defenders to organize the many vulnerabilities in their environments or to know where to focus their patch management activities. Many of them rely on NIST, which manages the NVD, to help prioritize the more critical flaws. However, NIST is also overwhelmed by the number of vulnerabilities reported daily and has struggled to classify them and assign scores based on exploitation risk factors such as required privileges and user interaction. There is a significant backlog, and multiple efforts over the past five years have focused on helping NIST analyze vulnerability reports and enter them into the NVD.

The announcement, posted on NIST's website this week, indicates the situation may be more dire than previously understood. The agency is struggling to "keep up with growing submissions" and, starting April 15, will provide details only for a subset of CVEs, NIST said.

How Will Vulnerabilities Be Prioritized?

NIST said the new approach will be "risk-based." All submitted vulnerabilities will continue to be added to the NVD, but how they are prioritized for analysis will change.
The flaws to be analyzed will fall into one of two categories: those added to the Cybersecurity and Infrastructure Security Agency's (CISA) Known Exploited Vulnerabilities (KEV) catalog, and those found in "critical software" as defined under Executive Order 14028 on Improving the Nation's Cybersecurity. The KEV catalog lists vulnerabilities for which CISA has evidence of active exploitation, and federal agencies are required to remediate them by a set due date. EO 14028 directed NIST to define critical software, which covers software that runs with elevated privileges or is designed to control access to data or operational technology, among other criteria.

Previously, NIST provided its own severity score for every CVE, along with a description and a list of affected products. That will now change, to "reduce duplication of effort and allow us to focus our resources more effectively."

The agency also said its inability to clear the backlog is directly the result of increased submission volumes. Going forward, all backlogged reports will be deferred and marked as "Not Scheduled." One important caveat: anything that is included in the KEV will not be deferred.

'Real-world Exploitability'

Improved detection tools, artificial intelligence, more bug bounty initiatives, vastly expanded attack surfaces, and the rapid pace of code development have all contributed to the exploding volume of vulnerabilities. NIST emphasized that CVE submissions "increased 263% between 2020 and 2025," adding that the "first three months of 2026 are nearly one-third higher than the same period last year."

Experts agree that NIST's previous approach was bound to fail at some point and would eventually require a shared-responsibility model.

What NIST is acknowledging is something the research community has understood for years: you cannot centralize vulnerability triage at this volume and expect it to hold, explained Trey Ford, chief strategy and trust officer at Bugcrowd.
"The signal that actually drives remediation priority has always come from real-world exploitability, not database metadata, and that requires human researchers with adversarial instincts working continuously against live environments," Ford said. He anticipates that the next generation of vulnerability programs will be built around that kind of active, distributed signal, not quarterly enrichment cycles.

Is the New Approach Beneficial?

Active and proactive approaches will be essential moving forward. Attackers are exploiting zero-day and known vulnerabilities at alarming rates, while organizations face resource shortages.

The backlog forced a necessary shift from reactive compliance based on raw CVSS scores to proactive risk management driven by threat intelligence, said David Lindner, CISO of Contrast Security.

"NIST's decision to prioritize high impact vulnerabilities signals the end of an era where security teams could rely on a single government database to categorize every software flaw," Lindner said. "Modern defenders must move beyond the noise of total CVE volume and instead focus their limited resources on the CISA KEV list and exploitability metrics."

The transition could disrupt legacy auditing workflows but may be better for organizations in the long run, Lindner said. He views it as a way to demand that the industry prioritize "actual exposure over theoretical severity."

"Relying on a curated subset of actionable data is far more effective for national resilience than maintaining a comprehensive but unmanageable archive of every minor bug," Lindner said.
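The triage order the article describes (KEV first, then EO 14028 critical software, everything else deferred) is easy to reproduce locally against your own inventory. The script below is an added example, not code from NIST, CISA or anyone quoted in the article. It uses the field names of the public CISA KEV JSON feed (cveID, dueDate, knownRansomwareCampaignUse, and so on), but the two catalog records and the five inventory rows are constructed samples with placeholder CVE IDs (year 0000), not real entries, and the critical_software flag is assumed to be set by the asset owner from the EO 14028 definition.

```python
"""KEV-first vulnerability triage over a local asset inventory.

Added example. Mirrors the NVD's new ordering: KEV entries are never deferred,
EO 14028 critical software is analyzed next, and everything else is parked as
"Not Scheduled" (tracked, not closed). Field names follow the CISA KEV JSON
feed; all records below are constructed placeholders, not real vulnerabilities.
"""
import json
from datetime import date

# Constructed KEV-style feed. Same top-level shape and keys as the real feed;
# CVE-0000-* IDs are placeholders and carry no real-world meaning.
KEV_FEED_JSON = json.dumps({
    "catalogVersion": "sample",
    "vulnerabilities": [
        {"cveID": "CVE-0000-1001", "vendorProject": "ExampleVPN", "product": "Gateway",
         "dateAdded": "2026-04-01", "dueDate": "2026-04-22",
         "knownRansomwareCampaignUse": "Known", "requiredAction": "Apply vendor update."},
        {"cveID": "CVE-0000-1002", "vendorProject": "ExampleCMS", "product": "Core",
         "dateAdded": "2026-03-10", "dueDate": "2026-03-31",
         "knownRansomwareCampaignUse": "Unknown", "requiredAction": "Apply vendor update."},
    ],
})

# Constructed inventory: one row per (CVE, asset). critical_software is assumed
# to be set by the asset owner using the EO 14028 definition (elevated privilege,
# controls access to data or OT, etc.); cvss is the vendor/NVD base score.
INVENTORY = [
    {"cve": "CVE-0000-1001", "asset": "vpn-edge-01", "cvss": 9.8, "critical_software": True},
    {"cve": "CVE-0000-1002", "asset": "www-03", "cvss": 7.2, "critical_software": False},
    {"cve": "CVE-0000-1003", "asset": "idp-01", "cvss": 8.1, "critical_software": True},
    {"cve": "CVE-0000-1004", "asset": "wiki-02", "cvss": 9.1, "critical_software": False},
    {"cve": "CVE-0000-1005", "asset": "wiki-02", "cvss": 4.3, "critical_software": False},
]

TIERS = {
    0: "KEV with known ransomware use: fix now",
    1: "KEV: fix by CISA due date",
    2: "EO 14028 critical software: analyze locally",
    3: "Not Scheduled: track, revisit on exploitation evidence",
}

TODAY = date(2026, 4, 17)  # fixed so the sample run is reproducible


def load_kev(feed_json: str) -> dict:
    """Index the KEV feed by CVE ID for O(1) membership checks."""
    return {v["cveID"]: v for v in json.loads(feed_json)["vulnerabilities"]}


def classify(row: dict, kev: dict, today: date) -> dict:
    """Assign one inventory row to a triage tier; KEV membership wins over CVSS."""
    entry = kev.get(row["cve"])
    if entry is not None:
        tier = 0 if entry.get("knownRansomwareCampaignUse") == "Known" else 1
        due = date.fromisoformat(entry["dueDate"])
        overdue = today > due
    elif row["critical_software"]:
        tier, due, overdue = 2, None, False
    else:
        tier, due, overdue = 3, None, False
    return {**row, "tier": tier, "reason": TIERS[tier], "due": due, "overdue": overdue}


def triage(inventory: list, kev: dict, today: date) -> list:
    """Return the inventory ordered for remediation work."""
    rows = [classify(r, kev, today) for r in inventory]
    # Tier first, then overdue KEV items, then earliest due date; CVSS is only a
    # tie-breaker inside a tier, so a 9.1 with no exploitation evidence still
    # lands below a KEV 7.2 ("actual exposure over theoretical severity").
    rows.sort(key=lambda r: (r["tier"], not r["overdue"], r["due"] or date.max, -r["cvss"]))
    return rows


def run_sample(today: date = TODAY) -> list:
    """Triage the constructed inventory against the constructed KEV feed."""
    return triage(INVENTORY, load_kev(KEV_FEED_JSON), today)


if __name__ == "__main__":
    for r in run_sample():
        flag = " OVERDUE" if r["overdue"] else ""
        print(f"T{r['tier']} {r['cve']} {r['asset']:<12} cvss={r['cvss']:<4} "
              f"due={r['due'] or '-'}{flag}  {r['reason']}")
```

Tier 3 is a deferral, not a dismissal: a CVE's absence from the KEV means CISA has not catalogued exploitation evidence, not that the flaw is safe, so re-run the triage whenever the feed changes or a vendor advisory or internal detection supplies its own evidence. In production the feed would be fetched from CISA rather than embedded, and the critical_software flag belongs in the asset inventory, not in the vulnerability record.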
About the Author

Arielle Waldman, Features Writer, Dark Reading. Arielle spent the last decade working as a reporter, transitioning from human interest stories to covering all things cybersecurity in 2020. Now, as a features writer for Dark Reading, she delves into the security problems enterprises face daily, hoping to provide context and actionable steps. She looks for stories that go past the initial news to understand where the industry is going. She previously lived in Florida, where she wrote for the Tampa Bay Times, before returning to Boston, where her cybersecurity career took off at SearchSecurity. When she's not writing about cybersecurity, she pursues personal projects that include a mystery novel and a poetry collection.